Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crio embeds build #3702

Closed
bmwiedemann opened this issue Apr 30, 2020 · 7 comments · Fixed by #3708
Closed

crio embeds build #3702

bmwiedemann opened this issue Apr 30, 2020 · 7 comments · Fixed by #3708

Comments

@bmwiedemann
Copy link
Contributor

BUG REPORT INFORMATION

Description

While working on reproducible builds for openSUSE, I found that
when building the cri-o package, there were slight differences between each build.

See https://reproducible-builds.org/ for why this matters.

Steps to reproduce the issue:

osc co openSUSE:Factory/cri-o && cd $_
for N in 1 2 ; do
    osc build --keep-pkg=RPMS.$N
    unrpm RPMS.$N/cri-o-1.18.0-*.x86_64.rpm
    strings usr/bin/crio > $N.strings
done
diff -u {1,2}.strings

Describe the results you received:

crio and crio-status binaries differed thusly:

/usr/bin/crio-status differs in ELF section .rodata
--- hexdump /usr/bin/crio-status  2020-04-30 02:43:45.560785070 +0000
+++ hexdump /usr/bin/crio-status  2020-04-30 02:43:46.504791551 +0000
@@ -448606,8 +448606,8 @@
  1f28590 61726765 00000000 00000000 00000000  arge............
  1f285a0 01010101 02020303 04060708 090a0b0c  ................
  1f285b0 0d0e0f10 00000000 00000000 00000000  ................
- 1f285c0 32303230 2d30342d 33305430 323a3337  2020-04-30T02:37
- 1f285d0 3a31385a 00000000 00000000 00000000  :18Z............
+ 1f285c0 32303335 2d30362d 30325431 353a3535  2035-06-02T15:55
+ 1f285d0 3a35325a 00000000 00000000 00000000  :52Z............

Describe the results you expected:

It should be possible to get identical build results anytime. If a build timestamp must be kept, it can be normalized with SOURCE_DATE_EPOCH . See https://reproducible-builds.org/specs/source-date-epoch/ for the definition of this variable.

Output of crio --version:
1.18

Additional environment details (AWS, VirtualBox, physical, etc.):
openSUSE-Tumbleweed 20200427
@afbjorklund
Copy link
Contributor

For some reason, the "BuildDate" is in the API:

https://github.com/kubernetes/apimachinery/blob/master/pkg/version/types.go#L28

It could still be faked (zeroed) instead, I suppose.

1970-01-01T00:00:00Z

@afbjorklund
Copy link
Contributor

The best would be to make it (too) into a make variable:

        -X ${PROJECT}/internal/pkg/criocli.DefaultsPath=${DEFAULTS_PATH} \
        -X ${PROJECT}/internal/version.buildDate=$(shell date -u +'%Y-%m-%dT%H:%M:%SZ') \
        -X ${PROJECT}/internal/version.gitCommit=${COMMIT_NO} \
        -X ${PROJECT}/internal/version.gitTreeState=${GIT_TREE_STATE} \

Then it would be easy to set it, just like GIT_COMMIT today.

DATE_FMT = +'%Y-%m-%dT%H:%M:%SZ'
ifdef SOURCE_DATE_EPOCH
    BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "$(DATE_FMT)" 2>/dev/null || date -u "$(DATE_FMT)")
else
    BUILD_DATE ?= $(shell date -u "$(DATE_FMT)")
endif

@haircommander
Copy link
Member

would you like to submit a PR with the fixes you're describing @afbjorklund ?

@afbjorklund
Copy link
Contributor

Oh no, I see that somebody has changed GIT_COMMIT in 720545f

That means my cri-o build is wrong, it is now COMMIT_NO instead...

@afbjorklund
Copy link
Contributor

would you like to submit a PR with the fixes you're describing @afbjorklund ?

I can do that, not using SOURCE_DATE_EPOCH myself (but I like the idea)

@afbjorklund
Copy link
Contributor

afbjorklund commented Apr 30, 2020
edited

The problem with calling git during the build, is that it gets the wrong information.

For some reason it thinks it is in the cri-o git, while I am still building from a tarball...

I'm sure the opensuse RPM has a similar issue ? (fedora had: #2923 (comment))

But maybe it ends up with unknown instead, if not using git while doing rpmbuild:

[   39s] GO111MODULE=on go build --mod=vendor  -ldflags '-s -w -X github.com/cri-o/cri-o/internal/pkg/criocli.DefaultsPath="" -X github.com/cri-o/cri-o/internal/version.buildDate=2020-04-28T20:44:49Z -X github.com/cri-o/cri-o/internal/version.gitCommit=unknown -X github.com/cri-o/cri-o/internal/version.gitTreeState=unknown  ' -tags "containers_image_ostree_stub apparmor    libdm_no_deferred_remove  seccomp selinux" -o bin/crio github.com/cri-o/cri-o/cmd/crio
[   71s] GO111MODULE=on go build --mod=vendor  -ldflags '-s -w -X github.com/cri-o/cri-o/internal/pkg/criocli.DefaultsPath="" -X github.com/cri-o/cri-o/internal/version.buildDate=2020-04-28T20:45:21Z -X github.com/cri-o/cri-o/internal/version.gitCommit=unknown -X github.com/cri-o/cri-o/internal/version.gitTreeState=unknown  ' -tags "containers_image_ostree_stub apparmor    libdm_no_deferred_remove  seccomp selinux" -o bin/crio-status github.com/cri-o/cri-o/cmd/crio-status

https://build.opensuse.org/package/live_build_log/openSUSE:Factory/cri-o/standard/x86_64

@afbjorklund
Copy link
Contributor

It actually had SOURCE_DATE_EPOCH for a while: d1696ce
But I'm not sure it did any good anyway, since both were added:

    -X ${PROJECT}/internal/version.buildInfo=${SOURCE_DATE_EPOCH} \
    -X ${PROJECT}/internal/version.buildDate=$(shell date -u +'%Y-%m-%dT%H:%M:%SZ') \

So the builds were still not reproducible...

@afbjorklund afbjorklund mentioned this issue Apr 30, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add support for making reproducible builds afbjorklund/cri-o
3 participants
@bmwiedemann @haircommander @afbjorklund